Self-Provision the Device
The latest Roving Edge devices and Roving Edge Ultras ship from the factory to eligible realms with only a small installer OS. To enhance security and flexibility in assigning devices to different projects, the installer OS enables you to self-provision the device at your location instead of Oracle provisioning the device. As part of the installation process, you self-provision the device. Self-provisioning involves configuring device network settings, connecting to your OCI tenancy, setting up device credentials, and installing the full Roving Edge software.
To self-provision a device, perform the following tasks:
- Determine If the Device Needs to be Self-Provisioned
- Prerequisites
- Prepare to Self-Provision the Device
- Configure Device Networking
- Set Up Connectivity to OCI
- Set Up Credentials
- Download and Install Software
If you encounter problems, see Troubleshooting: Self-Provisioning.
Determine If the Device Needs to be Self-Provisioned
Some devices are provisioned at the factory by Oracle and other devices are self-provisioned on-site by you.
Look at the serial console main menu.
- If you see the following menu heading, follow the instructions in this section to self-provision the device. See Prepare to Self-Provision the Device.
      Roving Edge Basic Configuration Interface
      Number selects a menu item, Enter accepts the selection, Ctrl+Z refreshes the menu, Ctrl+C returns to main menu, Backspace deletes a character.
      1) Configure Networking
      2) Set Up OCI Connectivity
      3) Set Up Credentials
      4) Install Roving Edge
      5) Advanced Operations
      Select option (1-5):
- If you see the following menu heading, the device was provisioned at a secure Oracle facility. Go to Configure Network Parameters for a Factory Provisioned Device.
      Roving Edge Device
      -----------------------
      1) Unlock Device
      2) Change Passphrase
      3) Configure Networking
      4) Show Status
      5) Show System Diagnostics
      6) Shutdown Device
      7) Reboot Device
      8) Enter Safe-Mode
      9) Exit Safe-Mode
      10) Shred Key
      11) Recover Key
      12) Reset Device
      13) Advanced Menu
      14) Cluster Health
      15) Node Health
      16) Diagnostics
      17) Help
Prerequisites
The following tasks must be completed before you can self-provision the device:
- You've created a dynamic group and a required policy for self-provisioning.
- The device has network connectivity to the OCI region for this device.
- A controlling host, such as a laptop, is connected to the serial port.
- The controlling host has a terminal emulator.
- The OCI CLI is installed on the controlling host. See Working with the CLI, Quickstart to install the CLI based on the host OS.
- The device is powered on.
Prepare to Self-Provision the Device
- Have your device activation code. The code is a unique character string. Oracle provides you with the activation code when you request a device. If you don't have it, check with the person who requested the device. Example activation code:
      ABCD-EFGH-7YFH-5IFP-7P6V-TSDW-G4DL-IQWZ-C6IO-OBGQ-SGY2-UQMX-2YMN-QOH3-JDPA-T7TD-2QE4-Q5FR-1234-56
- Sign in to the OCI tenancy where the new device node was created, and get the following information:
  - Node OCID – Copy the OCID for the node associated with this device:
    While signed in to the tenancy, in the navigation menu, select Hybrid, then select Nodes. Select the node that was created for this device. Select the OCID copy button. Paste the OCID where you can retrieve it later.
    Example: ocid1.rovernode.<realm>.<region>.<unique-id>
- While signed in to your tenancy, perform the following steps to create an OCI Vault secret so that you can back up the recovery key:
  - Create or select an existing vault. (For details, see Creating a Vault.)
    - In the navigation menu, select Identity & Security, and then select Vault.
    - Select an existing vault or create a new vault with the following parameters:
      - Name: Example, REDBackup
      - Assign the vault as default or Virtual Private.
  - On the Master Encryption Keys list page for the vault you're using, select Create Key. This key is used to encrypt secrets in the next step. Specify the following parameters. (For details, see Creating a Master Encryption Key.)
    - You can select either option for Protection Mode.
    - Name: Example, REDBackupMasterKey
    - Key Shape: Algorithm: You must select AES. The other two algorithms, RSA and ECDSA, can't be used as the encryption key for a secret.
    - Key Shape: Length: You can select any of the options provided.
  - On the Secrets list page, select Create Secret. Specify the following parameters. (For details, see Creating a Secret.)
    - Name: Example, <device-node-name>-recovery-key. We recommend using a meaningful and unique name, such as <device-node-name>-recovery-key. This is especially helpful for identifying the correct key when you have multiple devices.
    - Method: Select Manual secret generation.
    - Select Secret Type Template as Plain-Text and in Secret Contents enter RED_RECOVERY_KEY. This initial content helps prevent unexpected secret overwriting.
    - Secret rotation: Leave this section blank.
  - Copy the Secret OCID for later use.
    Note
    If a device is reprovisioned, its recovery key is updated. We recommend storing each recovery key in a separate secret, distinct from previous keys, or those used by other devices.
    Important
    Ensure that the device's active recovery key is properly secured to prevent unauthorized access.
- Establish a temporary OCI CLI session in the terminal emulator on your controlling host:
  For more information, see Token-based Authentication for the CLI.
  Note
  The session expires after 24 hours. If self-provisioning takes longer than that, you must establish a new session.
  - Generate a session token by creating a temporary session that's used to authenticate with OCI during self-provisioning:
        oci session authenticate
  - Display the configuration file that was created for the temporary session.
    You refer to this output in a subsequent task called Set Up Connectivity to OCI. Example:
        cat ~/.oci/config
        [profile]
        fingerprint = 1a:2b:3c:4d:5e:6f:7g:8h:9i:0k:e7:07:fa:b0:34:56
        key_file = /Users/user1/.oci/sessions/profile/oci_api_key.pem
        tenancy = ocid1.tenancy.oc1..unique-id
        region = us-phoenix-1
        security_token_file = /Users/user1/.oci/sessions/profile/token
Configure Device Networking
This task configures the device network settings to enable access to the public network.
When working with the serial console menus, enter the menu number for the menu option.
- From the local computer that's displaying the serial console Basic Configuration Interface menu, select Configure Networking.
- Use the menu options to configure the device network parameters according to your network environment. Configure these parameters:
  - IP address: Enter an IP address using one of these formats: A.B.C.D/P or A.B.C.D/M (P - prefix length or M - netmask). Example: 203.0.113.2/24
  - Gateway: Enter the gateway IP address. Example: 203.0.113.1
  - DNS servers: Enter DNS server IP addresses, as A.B.C.D, separated by commas. Example: 216.146.35.35, 216.146.36.36
  - (Optional, but recommended) NTP servers: Enter NTP server IP addresses separated by a comma. Example: 203.0.113.15, 203.0.113.16, 203.0.113.17
  - (Don't use) Proxy URL: Don't specify a proxy URL. See The Roving Edge installer proxy URL isn't working.
- Select Test network connectivity to OCI. The device makes an HTTP call to oracle.com to verify public network access and name resolution.
- Select Check OCI server clock and device clock. The device fetches the OCI server clock and compares it with the device clock.
  Authentication fails if the client's clock is skewed more than 5 minutes from the server's clock. For more information, see Maximum Allowed Client Clock Skew. If the device clock is skewed more than 5 minutes from the server clock, reenter the NTP servers to update and sync the time. Then run the clock check again.
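The values for Configure Networking can be checked on the controlling host before they are typed into the serial console. The following Python is an added example, not Oracle's code or part of the installer; the function names `check_network` and `clock_skew_ok` are hypothetical. It assumes the gateway must sit in the device's own subnet, and applies the address formats and 5-minute skew limit stated above.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

MAX_SKEW = timedelta(minutes=5)  # limit stated in the clock-check step


def check_network(ip_cidr, gateway, dns, ntp=""):
    """Return a list of problems with the entered values ([] means none)."""
    if "/" not in ip_cidr:
        return ["IP address: missing /prefix-length or /netmask"]
    try:
        # IPv4Interface accepts both A.B.C.D/P and A.B.C.D/M
        iface = ipaddress.IPv4Interface(ip_cidr.strip())
    except ValueError as exc:
        return [f"IP address: {exc}"]
    problems, net = [], iface.network
    if net.prefixlen < 31 and iface.ip in (net.network_address,
                                           net.broadcast_address):
        problems.append(f"IP address {iface.ip} is not a host address in {net}")
    try:
        gw = ipaddress.IPv4Address(gateway.strip())
        if gw not in net:  # assumption: gateway must be on-link
            problems.append(f"Gateway {gw} is outside {net}")
        elif gw == iface.ip:
            problems.append("Gateway is the same as the device address")
    except ValueError as exc:
        problems.append(f"Gateway: {exc}")
    for label, raw in (("DNS", dns), ("NTP", ntp)):
        for item in (s.strip() for s in raw.split(",")):
            if not item:
                continue
            try:
                ipaddress.IPv4Address(item)
            except ValueError:
                problems.append(f"{label} server {item!r} is not A.B.C.D")
    return problems


def clock_skew_ok(device_time, server_time):
    """True when the two clocks are within the 5-minute limit."""
    return abs(device_time - server_time) <= MAX_SKEW


if __name__ == "__main__":
    # Example values from this page; the mistyped gateway is constructed.
    print(check_network("203.0.113.2/24", "203.0.113.1",
                        "216.146.35.35, 216.146.36.36"))
    print(check_network("203.0.113.2/255.255.255.0", "203.0.131.1",
                        "216.146.35.35"))
    now = datetime.now(timezone.utc)
    print(clock_skew_ok(now, now + timedelta(minutes=6)))
```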
Set Up Connectivity to OCI
This task registers the device with OCI. Registration links the device with the corresponding device order in the OCI Cloud Console.
- In the serial console, type Ctrl+C to return to the Basic Configuration Interface (main menu).
- Select Set Up OCI Connectivity.
- Select Region: Enter the region listed in the config file output. Examples: us-ashburn-1, uk-london-1, us-phoenix-1
- Select Node OCID: Enter the OCID from Prepare to Self-Provision the Device, Step 2.
- Select Secret OCID (if available): Perform one of the following actions:
  - (Recommended) Enter the Secret OCID from Prepare to Self-Provision the Device. If you get an error, see During self-provisioning, you get a RED_RECOVERY_KEY error.
  - (Discouraged) Leave the secret OCID blank. You must manually keep the Recovery Key secure using OCI KMS or by using a similar Cloud KMS. See Using Your Own Master Key with Roving Edge Infrastructure Devices. If you forget the unlock passphrase and the recovery key, Oracle can't help you recover the device, and the device must be replaced.
- Select Session token: Enter the contents of the security_token_file that's listed in the config file output.
  Only select the session token output. Omit any % symbols and any characters after the % symbol. In the following example, % user1 OC1_CUSTOMER$ isn't copied and entered.
      $ cat token && echo ""
      abcdefghijklmnopqrstuvwxyzeyJraWQiOiJhc3dfaWFkXzE3MTU2NDgwNzIzNzciLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJvY2lkMS51c2VyLm9jMS4uYWFh
      . . .
      IjETGPAyLLife-sOZU0qRaWodAcTdV3CewWJZDRnD4yyZy5oz7qlJ6c1SQaMLZXVQvN3G-jQERQ9xVFJIM1HZB8Tbmx4hcEAIlC6V0SDef8dLBWat0I-MLwuIZX
      hia04-YzxddQ12345677890
      $
- Select Session private key: Enter the contents of the key_file that's listed in the config file output.
  Only copy the lines starting with BEGIN PRIVATE KEY and ending with END PRIVATE KEY. Omit any other characters. In the following example, OCI_API_KEY% user1 OC1_CUSTOMER $$ isn't copied and entered.
      $ cat oci_api_key.pem | sed '$d'
      -----BEGIN PRIVATE KEY-----
      MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQD7EqlbJj7l1DD0
      . . .
      QEuLAD1TE6M312345677890==
      -----END PRIVATE KEY-----
      $
  After you paste the key, press Return twice to exit input mode.
- Select Activation code: Enter the activation code that was provided to you by the sales representative.
- Select Register device to OCI.
  The device serial number is registered to the OCI node in your tenancy, Complete Device Registration runs automatically, and the following output is displayed:
      Complete Device Registration succeeded.
      Go to the main menu (Ctrl+C), and select:
      3) Set Up Credentials
      Press any key to continue
  If this step fails, try it again by running Complete Device Registration.
- (Optional) Verify that the serial number registered with the node in your tenancy matches the serial number on the device. For Roving Edge 2 devices, see Roving Edge Device 2 – Front Panel.
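Reading the session files directly, rather than copying them from terminal output, keeps prompt characters and the trailing label line out of what gets pasted for Session token and Session private key. The following Python is an added example, not Oracle's code or part of the OCI CLI; `session_material` and `demo` are hypothetical names, and the files that `demo` writes are constructed placeholders, not real credentials.

```python
import configparser
import re
import tempfile
from pathlib import Path

PEM_RE = re.compile(
    r"-----BEGIN PRIVATE KEY-----.*?-----END PRIVATE KEY-----", re.DOTALL)


def session_material(config_path, profile):
    """Return (region, token, pem) for one profile of an OCI CLI config."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read(config_path)
    section = cfg[profile]
    # Token: drop a "%" and everything after it, as the step instructs.
    raw = Path(section["security_token_file"]).expanduser().read_text()
    token = raw.split("%", 1)[0].strip()
    if not token or any(ch.isspace() for ch in token):
        raise ValueError("token file does not hold a single token")
    # Key: keep only the BEGIN..END PRIVATE KEY block, nothing after it.
    key_text = Path(section["key_file"]).expanduser().read_text()
    match = PEM_RE.search(key_text)
    if match is None:
        raise ValueError("no PRIVATE KEY block found in key_file")
    return section["region"], token, match.group(0)


def demo():
    """Run the extraction against a constructed profile in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        # Constructed sample: token followed by pasted prompt debris.
        (d / "token").write_text("constructed.session.token% user1 HOST$ \n")
        # Constructed sample: placeholder key body plus a trailing label.
        (d / "oci_api_key.pem").write_text(
            "-----BEGIN PRIVATE KEY-----\nPLACEHOLDERnotAkey\n"
            "-----END PRIVATE KEY-----\nOCI_API_KEY\n")
        (d / "config").write_text(
            "[profile]\nregion = us-phoenix-1\n"
            f"key_file = {d / 'oci_api_key.pem'}\n"
            f"security_token_file = {d / 'token'}\n")
        return session_material(d / "config", "profile")


if __name__ == "__main__":
    region, token, pem = demo()
    print(region, len(token), len(pem.splitlines()))
```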
Set Up Credentials
This task creates a passphrase, password, and recovery key. Descriptions of each credential are provided in the following steps.
You must store the device unlock passphrase, password, and recovery key in a secure place such as OCI Vault or somewhere equivalent. If you forget the unlock passphrase and are unable to find the recovery key, Oracle can't help you recover the device, and the device must be replaced.
- In the serial console, type Ctrl+C to return to the Basic Configuration Interface (main menu).
- Select Set Up Credentials.
- Select Device Unlock Passphrase, then enter a passphrase.
  After the device is self-provisioned, the master key passphrase is used to unlock the device. Until the device is unlocked, the device has limited functionality.
  The first time you use this passphrase to unlock the device, you're prompted to change the passphrase.
  Passphrase requirements:
  - Minimum Length: 8 characters
  - Maximum Length: 64 characters
  - Must include the following characters:
    - One lowercase character
    - One uppercase character
    - One digit
    - One special character from this list: [ ] ! @ # % ^ & * ( ) _ = + " ` ~ $ - { } | \ ; < > . / ? ,
  If you need to manage this password in the future, see Changing the Passphrase.
- Select Web Console UI Password (root user), then enter a password.
  The password is used to access the Roving Edge Web UI Console, which is used to manage resources on the device.
  The first time you use this password to access the Roving Edge Web UI Console, you're prompted to change the password.
  If you need to manage this account and password in the future, see User Credentials for Roving Edge Infrastructure.
- Select Recovery Key.
  - If the recovery key is successfully backed up, the secret OCID is shown.
    To view the Recovery Key, see Getting a Secret's Contents and enable the Show decoded Base64 digit option.
  - If you left the secret OCID blank in Set Up Connectivity to OCI, Step 5, you must manually keep the Recovery Key secure using OCI KMS or by using a similar Cloud KMS. Save the key in a secure location now.
    See Using Your Own Master Key with Roving Edge Infrastructure Devices.
    Note
    The recovery key might be needed later if you forget the master key passphrase, or if the master key is shredded because of multiple failed sign-in attempts.
- After the key is saved, press Return.
- Choose to either hide or unhide the credentials by selecting the appropriate menu option.
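A candidate unlock passphrase can be checked against the requirements above before it is typed into the serial console. The following Python is an added example, not Oracle's code; the names `passphrase_problems` and `generate_passphrase` are hypothetical, and it assumes that "lowercase", "uppercase" and "digit" mean ASCII characters.

```python
import secrets
import string

# Special characters the policy accepts, copied from the list above.
SPECIALS = frozenset("[]!@#%^&*()_=+\"`~$-{}|\\;<>./?,")
MIN_LEN, MAX_LEN = 8, 64

# Assumption: character classes are ASCII.
REQUIRED = (
    ("lowercase character", frozenset(string.ascii_lowercase)),
    ("uppercase character", frozenset(string.ascii_uppercase)),
    ("digit", frozenset(string.digits)),
    ("special character from the list", SPECIALS),
)


def passphrase_problems(passphrase):
    """Return the requirements a candidate fails ([] means it complies)."""
    problems = []
    if not MIN_LEN <= len(passphrase) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN} to {MAX_LEN} characters")
    for name, allowed in REQUIRED:
        if not any(ch in allowed for ch in passphrase):
            problems.append(f"missing {name}")
    return problems


def generate_passphrase(length=24):
    """Draw random candidates from the OS CSPRNG until one complies."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError("length outside the allowed range")
    alphabet = string.ascii_letters + string.digits + "".join(sorted(SPECIALS))
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not passphrase_problems(candidate):
            return candidate


if __name__ == "__main__":
    # ":" is not in the accepted list, so this constructed candidate fails.
    print(passphrase_problems("Rover:Edge7"))
    print(passphrase_problems(generate_passphrase()))
```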
Download and Install Software
The device is shipped with a small installer OS. In this task, you download and install the complete Roving Edge software.
The software file size is about 25 GB. We recommend that you use a high-speed network for this task.
Don't interrupt the download or installation processes.
- In the serial console, type Ctrl+C to return to the Basic Configuration Interface (main menu).
- Select Download installation files.
  Wait for the download to complete.
- Select Start installation.
  The installation completes within 10 minutes, then the device reboots. The reboot can take another 10 minutes. When the reboot is finished, the following Roving Edge Device menu is displayed.
      Roving Edge Device
      -----------------------
      1) Unlock Device
      2) Change Passphrase
      3) Configure Networking
      4) Show Status
      5) Show System Diagnostics
      6) Shutdown Device
      7) Reboot Device
      8) Enter Safe-Mode
      9) Exit Safe-Mode
      10) Shred Key
      11) Recover Key
      12) Reset Device
      13) Advanced Menu
      14) Cluster Health
      15) Node Health
      16) Diagnostics
      17) Help
  All future access to the serial console requires the device unlock passphrase.
  If the installation fails, the interface displays a BASE64 encoded string that contains a compressed archive with the logs. For example:
      BASE64 encoded output for the logs archive follows:
      ============
      <BASE64_string>
      ============
  Copy and save the BASE64 output (text in between === lines) to a file. Then send the file to Oracle Support. See Collecting Self-Provisioning Logs. You can also restart the installation.